Rahul Sundaram wrote:
Mike McCarty wrote:
No, that was not my argument. My argument is that people are
commenting from a position of conjecture. There is no scientific
conclusive study showing that SELinux unarguably improves
security of machines.
There is. SELinux is MAC security framework and is based on scientific
studies over decades which clearly show their advantages. Again read
some of the work at NSA SElinux site.
Mandatory Access Control is not a thing, it is a technique. SELinux
is a thing, which may or may not be a good implementation of MAC.
Not one attack on my machine has made it past my router. Not one.
My router sometimes logs thousands of attempts per month. I've been
running since about October 2005. I'd say it's pretty debatable that my
machine would be more secure with SELinux enabled.
A machine running SELinux enabled is provably more secure than a machine
running merely a firewall or router. They are not comparable security
technologies.
A machine running current SELinux implementation is provably
less secure in some senses than one which is not.
Yes, they do. Because currently the onus is still on the
side of proponents of SELinux to show that it is conclusively
better than what already exists
... which they already have for those who bother to look.
I have already demonstrated that I have looked, I just disagree
with you.
I quote:
"the management of SELinux needs and will improve with the continuous
development of better user space tools"
That is faith, not a matter of technical fact.
It is a fact because actual development work is being done on these user
It is faith that SELinux will survive at all.
[snip]
So again, completely removing all SELinux libraries (as opposed to
merely turning it off) is very intrusive and significant amount of
effort that does not offer any significant advantages but if you want
really want to put the effort and send patches you are welcome to do so.
It is certainly easier than creating a different spin however which you
were advocating for.
Erm, ADDING SELinux was an intrusive effort, which is now difficult
to undo.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list